NIST: Longer passwords beat complicated ones

NIST: Longer passwords beat complicated ones

Monday will be the final day for the public to comment on proposed rules from the National Institute of Standards and Technology that would simplify the standards for passwords that government agencies must use and that private sector companies are encouraged to follow.

The proposal would eradicate password complexity rules, such as requirements that passwords must contain an uppercase letter, a lowercase letter, a number and a symbol. NIST said in the proposal that user behavior often leads these complexity rules to backfire, so companies should simplify their password rules and focus on password length rather than composition.

For banks and credit unions, simplified password rules would reduce friction in online and mobile banking while improving security. The recommendations from NIST provide a kind of green light to any institutions hoping to implement similar changes to their password requirements.

In the place of password complexity rules, NIST suggests companies check passwords against a blocklist, which would include passwords leaked in breaches and one-word passwords that are easily guessed (such as “password” or the name of the service).

Complicated password requirements often create a maze that frustrates users attempting to create secure passwords. These rules have inspired online forums for publicly shaming companies that enforce such rules and a popular online game that takes players on a journey of creating a password with increasingly absurd requirements.

Often, these complicated rules backfire, according to NIST.

“Highly complex passwords introduce a new potential vulnerability: they are less likely to be memorable and more likely to be written down or stored electronically in an unsafe manner,” the agency said in its proposed rules. “While these practices are not necessarily vulnerable, some methods of recording such secrets will be.”

See also  At $79,995, Should We Give Thanks For This Twin Turbo 2004 Dodge Viper SRT10?

More importantly, though, research cited by the agency indicates that users respond in predictable ways when faced with password complexity requirements. This means “most common password creation policies remain vulnerable to online attack,” according to the 2009 paper by a team led by Matt Weir, a Florida State University researcher.

“This is due to a subset of the users picking easy-to-guess passwords that still comply with the password creation policy in place, for example ‘Password!1’,” the paper stated.

While less complex passwords would still be vulnerable to these predictable behaviors, NIST’s proposal requires agencies to provide users guidance on choosing a stronger password if their submitted one is found on a blocklist. This, the agency says, discourages trivial modifications to weak passwords.

While password complexity rules have the theoretical advantages of requiring users to use unique passwords that are harder to crack, they often just push users to use predictable variations of the same password they use everywhere else. That’s according to a blog post from Enzoic, a cybersecurity company that specializes in compromised password screening and account takeover protection, about the proposed rules.

“This doesn’t necessarily mean that all password complexity rules should be removed, but that we need to reconsider what makes a password complex while also considering its usefulness,” Enzoic said in the post. “This is why the NIST password guidelines and many other organizations are removing the requirement for special characters in passwords.”

Frustratingly for users, companies and agencies often thwart their attempts to create memorable passwords — such as sentences or phrases — by disallowing certain characters in their passwords, such as spaces.

See also  GM's Cruise to offer robotaxis on Uber's platform from next year

Companies often disallow these characters in passwords as a means of thwarting SQL injection attacks, in which an attacker modifies or deletes a database by entering commands through online forms. However, these attacks only work if the company’s password system is severely flawed — namely, if the company fails to hash the password before it reaches the database.

Hashing a password transforms it into text that cannot be used in injection attacks. It is a one-way function that turns passwords into a string of characters with a fixed length. Hashing the same password always yields the same result, which is how companies should authenticate passwords. Taking a hash and trying to revert it to the password, however, is designed to be impossible.

Rather than enforce rules on the composition of a password, companies should focus on the length of the password as the “primary factor in characterizing password strength,” according to NIST’s proposed rules.

Notably, the proposed rules also encourage companies to increase the maximum number of characters a user can use in their password to at least 64, or even longer for better results.

“Users should be encouraged to make their passwords as lengthy as they want, within reason,” the proposed rules read.

The only limiting factor for how long a password should be is how long it takes to hash it. This time increases for “extremely long passwords (perhaps megabytes long),” according to NIST’s proposed rule. A password that long would contain millions of characters, making it longer than the book Moby-Dick.